Chinese hackers use the popular VLC media player to hide malware and spy

VLC is a very popular media player and there are several reasons for that: first of all, it is free, open source and available on almost every platform you can imagine. In addition, it can be used for almost any audio or video file. VLC will also not slow down your Windows computer unless, for example, it hides malware, which is exactly what Chinese hackers did – they hid malware in VLC player.

Symantec cybersecurity experts say a Chinese advanced persistent threat hacker (APT) group called Cicada (or Stone Panda or APT10) uses VLC on Windows systems to run malware used to spy on government and NGOs.

The victims of this campaign, which has been going on for several months, are governmental, legal, religious and non-governmental organizations in several countries in Europe, Asia and North America. Targets of Chinese hackers have been identified in the United States, Canada, Hong Kong, Turkey, Israel, India, Montenegro and Italy. One victim is in Japan, which is interesting because Cicada was previously focused on Japanese companies.

The attackers spent as much as nine months on the networks of some of the victims.

In 2018, US government officials linked Cicada’s attacks to the Chinese government, and the group’s first espionage activities were noticed in 2009.

Cicada takes over the clean version of VLC and runs the malware via the VLC Export function. This is a technique that hackers often rely on to get malware into what would otherwise be legitimate software. Cicada then uses the WinVNC remote access tool to fully take over the compromised system. When they gain access to victims’ devices, hackers use various tools such as Sodamaster backdoor to prevent detection, which scans targeted systems, downloads more malicious packets and “blurs” communication between compromised systems and hacker-controlled command and control servers. Sodamaster is a tool that is believed to be used only by this group from 2020, and maybe even earlier.

The VLC attacks, which Symantec believes may still be ongoing, began in 2021 after hackers exploited the well-known and now patched vulnerability of the Microsoft Exchange server to access victims’ networks. Researchers are pretty sure the malware is being used for espionage.

The same group has in the past attacked the healthcare, defense, aviation, shipping, biotechnology and energy sectors.

Simultaneous attacks on several large organizations in different parts of the world require a lot of resources and skills that can mostly be seen only in groups backed by states.

Source: by

*The article has been translated based on the content of by If there is any problem regarding the content, copyright, please leave a report below the article. We will try to process as quickly as possible to protect the rights of the author. Thank you very much!

*We just want readers to access information more quickly and easily with other multilingual content, instead of information only available in a certain language.

*We always respect the copyright of the content of the author and always include the original link of the source article.If the author disagrees, just leave the report below the article, the article will be edited or deleted at the request of the author. Thanks very much! Best regards!